Problem adding SSL certificate Ubuntu server


#1

Hi,

I have tried to install an SSL certificate for my website, but I get the following error when running the command sudo certbot --nginx

Failed authorization procedure. bankofharry.nl (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bankofharry.nl/.well-known/acme-challenge/kntRkxc0oGU8oKPwCBxbSdvf9KvcpZpIFalf2Z4fG2I: "<!doctype html><html lang=“nl”> <meta charset=“UTF-8”> <meta name=“viewport” content=“width=device-width, user-scalable=no”

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: bankofharry.nl
    Type: unauthorized
    Detail: Invalid response from
    http://bankofharry.nl/.well-known/acme-challenge/kntRkxc0oGU8oKPwCBxbSdvf9KvcpZpIFalf2Z4fG2I:
    "<!doctype html><html lang=“nl”> <meta charset=“UTF-8”>

    <meta name=\"viewport\" content=\"width=device-width, user-scalable=no"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My DNS settings look like:

Does anyone have an idea what I should fix? Thank you


#2

The site’s IPv6 address is running Apache, so certbot --nginx won’t work, unless the right reverse proxying is set up.

The site’s IPv4 address is running Nginx.

Are you sure the DNS records and web server setups are correct?

https://letsdebug.net/bankofharry.nl/22103


#3

Thanks, indeed, I had to remove those IPv6 records, since no IPv6 IP is present.

Now I am some steps further; installing the SSL certificate seemed to work, but the debug page still shows some errors.

https://letsdebug.net/bankofharry.nl/22117


#4

Hi @CryptoNerd0_9

your site is completely invisible ( https://check-your-website.server-daten.de/?q=bankofharry.nl ):

Domainname Http-Status redirect Sec. G
http://bankofharry.nl/
95.179.147.177 -2 1.050 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 95.179.147.177:80
http://www.bankofharry.nl/
95.179.147.177 -2 1.040 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 95.179.147.177:80
https://bankofharry.nl/
95.179.147.177 -2 1.056 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 95.179.147.177:443
https://www.bankofharry.nl/
95.179.147.177 -2 1.044 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 95.179.147.177:443
http://bankofharry.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
95.179.147.177 -2 1.040 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 95.179.147.177:80
http://www.bankofharry.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
95.179.147.177 -2 1.044 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 95.179.147.177:80

Looks like you have a firewall or another active blocking component.

Blocking /.well-known/acme-challenge/random-filename is critical. There, an http status 404 (Not Found) is expected.


#5

True about the firewall: ufw is active and I followed the steps described in https://gist.github.com/Helmi/68879e72d2221ef0be24fcd6776c0c97

The ufw status command gives



#6

Then there must be a second blocking instance.

Or your VirtualHost configuration is wrong, so a request doesn’t find your server.

Try to open a link like

http://www.bankofharry.nl/.well-known/acme-challenge/1234

in your browser.


#7

Tried a few links, e.g. http://www.bankofharry.nl/var/www/html/index.nginx-debian.html

But it doesn’t work, it gives connection refused message.

Strange thing is, that http://95.179.147.177:80 does not work, but http://bankofharry.nl:80 gives ‘welcome to nginx’ page.


#8

But only internally. I see again “Connection refused”.

PS: If you don’t have a Standard-VHost, it’s OK that the IP doesn’t answer.


#9

Hmm, there was something cached; tried with Ctrl+F5, then indeed connection refused.

The VM I am running is on Vultr. Any idea what more to check?
Thanks for your quick replies by the way, much appreciated!


#10

I am wondering what’s blocking these ports, because when you go directly to http://95.179.147.177:8081 it works (however, not secured).


#11

That’s your answer, I can see this page.

The internal redirect port 80 -> port 8081 doesn’t work.


#12

Yep: Checking this port ( https://check-your-website.server-daten.de/?q=bankofharry.nl%3A8081 ):

Domainname Http-Status redirect Sec. G
http://bankofharry.nl:8081/
95.179.147.177 302 http://bankofharry.nl/login 0.043 D
http://www.bankofharry.nl:8081/
95.179.147.177 302 http://www.bankofharry.nl/login 0.040 D
http://bankofharry.nl/login -2 1.060 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 95.179.147.177:80
http://www.bankofharry.nl/login -2 1.067 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 95.179.147.177:80
https://bankofharry.nl:8081/
95.179.147.177 -4 0.067 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
https://www.bankofharry.nl:8081/
95.179.147.177 -4 0.070 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
http://bankofharry.nl:8081/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
95.179.147.177 404 0.083 A
Not Found
http://www.bankofharry.nl:8081/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
95.179.147.177 404 0.044 A
Not Found

So /.well-known/acme-challenge works too.

But Let's Encrypt requires an open port 80 and only follows redirects to port 80 or port 443.


#13

Okay, so what is best way to solve this? My website can run on any port


#14

Use the standard ports 80 / 443, not 8081.


#15

Yes, another step further, port 443 works: http://www.bankofharry.nl:443.

2 things still open:

  • it’s not yet secured.
  • would be nice if www.bankofharry.nl would redirect to 443.

Any hint to point me in the right direction? Thanks again!


#16

This is http over port 443, not over port 80.

This is always bad. http isn’t secure.

You need one VirtualHost port 80 with a http redirect (http status 301) to https.

And a VirtualHost port 443.


#17

You seem to be getting closer to solving this…

Now the site is missing the cert chain.
You should probably be using the fullchain.pem file instead of the cert.pem file.
https://www.ssllabs.com/ssltest/analyze.html?d=bankofharry.nl
[and the cert doesn’t cover the WWW name]

And even when ignoring that, it returns error 400.
Perhaps the wrong (or non-existent) document root is being used…


#18

Guys, it’s fixed!

I tried so many things, and after your feedback, I started to understand a bit more about the fundamentals. So, I restored a snapshot I took of the VM from just before I started working on this, followed all the steps described in https://gist.github.com/Helmi/68879e72d2221ef0be24fcd6776c0c97

and everything worked almost right away.

Or do you still see something wrong in one of the reports?

Thanks!


#19

Hmm still one thing, I get message: NET::ERR_CERT_COMMON_NAME_INVALID

any idea?


#20

I see, you have rechecked your domain via https://check-your-website.server-daten.de/?q=bankofharry.nl

Now most is good: ports 80 and 443 work, correct redirects.

Domainname Http-Status redirect Sec. G
http://bankofharry.nl/
95.179.147.177 301 https://bankofharry.nl/ 0.036 A
http://www.bankofharry.nl/
95.179.147.177 301 https://www.bankofharry.nl/ 0.034 A
https://bankofharry.nl/
95.179.147.177 302 https://bankofharry.nl/login 1.337 B
https://www.bankofharry.nl/
95.179.147.177 302 https://www.bankofharry.nl/login 1.230 N
Certificate error: RemoteCertificateNameMismatch
https://bankofharry.nl/login 200 1.253 B
https://www.bankofharry.nl/login 200 1.287 N
Certificate error: RemoteCertificateNameMismatch

Only one thing: Your certificate

CN=bankofharry.nl
	09.02.2019
	10.05.2019
expires in 90 days 	bankofharry.nl - 1 entry

has only one domain name. So your www version isn’t secure.

Use the same command to create a certificate, but add both domain names:

-d bankofharry.nl -d www.bankofharry.nl

Then both connections are secure.
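An added pre-flight script (not from this thread, certbot, or the checking sites linked above) that automates what the replies ran by hand before retrying certbot: A/AAAA resolution, reachability of ports 80 and 443 on every address returned, the expected 404 on a random acme-challenge path, and whether the certificate served on 443 verifies and covers the www name. The hostnames, the probe path and the 5-second timeouts are assumptions; the verdict logic in findings() is separated from the network probes so it can be exercised offline.

```python
import socket, ssl, urllib.error, urllib.request

def resolve(host):
    """All A and AAAA records as (type, ip); Let's Encrypt validates over IPv6 whenever an AAAA exists."""
    fam = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}
    return sorted({(fam[f], sa[0]) for f, _, _, _, sa in socket.getaddrinfo(host, None) if f in fam})

def probe_port(ip, port, timeout=5):
    """'open', 'refused' (nothing listening or a firewall reject) or 'unreachable' (dropped / timed out)."""
    try:
        socket.create_connection((ip, port), timeout=timeout).close()
        return "open"
    except OSError as err:
        return "refused" if isinstance(err, ConnectionRefusedError) else "unreachable"

def challenge_status(host, timeout=5):
    """Status of a random challenge path, redirects followed as the CA does; a plain 404 is what we want."""
    url = f"http://{host}/.well-known/acme-challenge/preflight-probe"  # constructed probe path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.URLError as err:
        return getattr(err, "code", None)  # HTTPError carries the status; a refused connection gives None

def cert_names(host, timeout=5):
    """DNS SANs of the certificate served on 443, or the TLS/verification error as a string."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # compare names ourselves so a mismatch is reported, not raised
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still verify: catches cert.pem served instead of fullchain.pem
    try:
        with socket.create_connection((host, 443), timeout=timeout) as s, ctx.wrap_socket(s, server_hostname=host) as tls:
            return {v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"}
    except OSError as err:               # plain http served on 443 shows up here as a handshake error
        return str(err)

def findings(addrs, ports, challenge, names, wanted):
    """Pure verdict logic over probe results (runs offline), mirroring the diagnoses made in the thread."""
    out = [f"{fam} {ip} port {port}: {ports.get((ip, port), 'unreachable')}"
           for fam, ip in addrs for port in (80, 443) if ports.get((ip, port)) != "open"]
    if challenge != 404:
        out.append(f"random acme-challenge path returned {challenge}, expected 404")
    if isinstance(names, str):
        out.append(f"TLS on port 443 failed: {names}")
    else:
        out.extend(f"certificate does not cover {n}" for n in sorted(wanted - names))
    return out

def preflight(host):
    """Probe host and its www variant; an empty list means certbot's http-01 challenge should succeed."""
    addrs = resolve(host)
    ports = {(ip, p): probe_port(ip, p) for _, ip in addrs for p in (80, 443)}
    return findings(addrs, ports, challenge_status(host), cert_names(host), {host, "www." + host})
```

Run preflight("your.domain") from a machine outside the server's own network, since a page that only loads locally (as in #7 and #8) proves nothing about what the CA will see.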